13 glance. Let us first look, as a case-study, at how access |
13 glance. Let us first look, as a case-study, at how access |
14 control is organised in Unix-like systems (Windows systems |
14 control is organised in Unix-like systems (Windows systems |
15 have similar access controls, although the details might be |
15 have similar access controls, although the details might be |
16 quite different). Then we have a look at how secrecy and |
16 quite different). Then we have a look at how secrecy and |
17 integrity can be ensured in a system, and finally have a look |
17 integrity can be ensured in a system, and finally have a look |
18 at shared access control in multi-agent systems. |
18 at shared access control in multi-agent systems. But before we |
19 |
19 start, let us motivate access control systems by the kind of |
|
20 attacks we have seen in the last lecture. \bigskip |
|
21 |
|
22 \noindent There are two further general approaches for |
|
23 countering buffer overflow attacks (and other similar |
|
24 attacks). One are Unix-like access controls, which enable a |
|
25 particular architecture for network applications, for example |
|
26 web-servers. This architecture minimises the attack surface |
|
27 that is visible from, for example, the Internet. And if an |
|
28 attack occurs the architecture attempts to limit the damage. |
|
29 The other approach is to \emph{radically} minimise the attack |
|
30 surface by running only the bare essentials on the web-server. |
|
31 In this approach, even the operating system is eliminated. |
|
32 This approach is called \emph{unikernel}. |
|
33 |
|
34 A \emph{unikernel} is essentially a single, fixed purpose |
|
35 program running on a server. Nothing else is running on the |
|
36 server, except potentially many instances of this single |
|
37 program are run concurrently with the help of a |
|
38 hypervisor.\footnote{Xen is a popular hypervisor; it provides |
|
39 the mechanism of several virtual machines on a single |
|
40 computer.} This single program implements the functionality |
|
41 the server offers (for example serving web-pages). The main |
|
42 point is that all the services the operating system normally |
|
43 provides (network stack, file system, ssh and so on) are not |
|
44 used by default in unikernels. Instead, the single program |
|
45 uses libraries (the unikernel) whenever some essential |
|
46 functionality is needed. The developer only needs to select a |
|
47 minimal set of these libraries in order to implement a server |
|
48 for web-pages, for example. In this way, ssh, say, is only |
|
49 provided, when it is absolutely necessary. |
|
50 |
|
51 Unikernels are a rather recent idea for hardening servers. I |
|
52 have not seen any production use of this idea, but there are |
|
53 plenty of examples from academia. The advantage of unikernels |
|
54 is the rather small footprint in terms of memory, booting |
|
55 times and so on (no big operating system is needed). This |
|
56 allows unikernels to run on low-coast hardware such as |
|
57 Raspberry Pis or Cubieboards, where they can replace much more |
|
58 expensive hardware for the same purpose. The low booting times |
|
59 of unikernels are also an advantage when your server needs to |
|
60 scale up to higher user-demands. Then it is often possible to |
|
61 just run another instance of the single program, which can be |
|
62 started almost instantly without the user seeing any delay |
|
63 (unlike if you have to start, say, Windows and then on top of |
|
64 that start your network application). One of the most |
|
65 well-known examples of a unikernel is MirageOS available from |
|
66 |
|
67 \begin{center} |
|
68 \url{https://mirage.io} |
|
69 \end{center} |
|
70 |
|
71 \noindent This unikernel is based on the functional |
|
72 programming language Ocaml, which provides added security |
|
73 (Ocaml does not allow buffer overflow attacks, for example). |
|
74 If you want to test the security of MirageOS, the |
|
75 developers issued a Bitcoin challenge: if you can break into |
|
76 their system, you can get 10 Bitcoins |
|
77 |
|
78 \begin{center} |
|
79 \url{http://ownme.ipredator.se} |
|
80 \end{center} |
|
81 |
|
82 However, sometimes you cannot, or do not want to, get rid of |
|
83 the operating system. In such cases it is still a good idea |
|
84 to minimise the attack surface. For this it helps if the |
|
85 network application can be split into two parts---an |
|
86 application and an interface: |
|
87 |
|
88 \begin{center} |
|
89 \begin{tikzpicture}[scale=1] |
|
90 |
|
91 \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); |
|
92 \draw (4.7,1) node {Internet}; |
|
93 \draw (-2.7,1.7) node {\footnotesize Application}; |
|
94 \draw (0.6,1.7) node {\footnotesize Interface}; |
|
95 \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; |
|
96 \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; |
|
97 |
|
98 \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); |
|
99 |
|
100 \draw[white] (1.7,1) node (X) {}; |
|
101 \draw[white] (3.7,1) node (Y) {}; |
|
102 \draw[<->, line width = 2mm] (X) -- (Y); |
|
103 |
|
104 \draw[<->, line width = 1mm] (-0.6,1) -- (-1.6,1); |
|
105 \end{tikzpicture} |
|
106 \end{center} |
|
107 |
|
108 \noindent The idea is that all heavy-duty lifting in the |
|
109 application (for example database access) is done by a |
|
110 privileged process. All user input from the internet is |
|
111 received by an \emph{un}privileged process, which is |
|
112 restricted to only receive user input from the Internet and |
|
113 communicates with the privileged process. This communication, |
|
114 however, needs to be sanitised, meaning any unexpected |
|
115 user-input needs to be rejected. The idea behind this split is |
|
116 that if an attacker can take control of the |
|
117 \emph{un}privileged process, then he or she cannot do much |
|
118 damage. However, the split into such privileged and |
|
119 unprivileged processes requires an operating system that |
|
120 supports Unix-style access controls, which look at next. |
20 |
121 |
21 \subsubsection*{Unix-Style Access Control} |
122 \subsubsection*{Unix-Style Access Control} |
22 |
123 |
23 Following the Unix-philosophy that everything is considered as |
124 Following the Unix-philosophy that everything is considered as |
24 a file, even memory, ports and so on, access control in Unix |
125 a file, even memory, ports and so on, access control in Unix |
115 \end{itemize} |
216 \end{itemize} |
116 |
217 |
117 \noindent This will typically involve quite a lot of programs |
218 \noindent This will typically involve quite a lot of programs |
118 on a Unix system. I counted 90 programs with the setuid |
219 on a Unix system. I counted 90 programs with the setuid |
119 attribute set on my bog-standard Mac OSX system (including the |
220 attribute set on my bog-standard Mac OSX system (including the |
120 program \pcode{/usr/bin/login} for example). The problem is |
221 program \pcode{/usr/bin/login}). The problem is that if there |
121 that if there is a security problem with only one of them, be |
222 is a security problem with only one of them, be it a buffer |
122 it a buffer overflow for example, then malicious users can |
223 overflow for example, then malicious users can gain root |
123 gain root access (and for outside attackers it is much easier |
224 access (and for outside attackers it is much easier to take |
124 to take over a system). Unfortunately it is rather easy to |
225 over a system). Unfortunately it is rather easy to cause a |
125 cause a security problem since the handling of elevating and |
226 security problem since the handling of elevating and dropping |
126 dropping access rights in such programs rests entirely with |
227 access rights in such programs rests entirely with the |
127 the programmer. |
228 programmer. |
128 |
229 |
129 The fundamental idea behind the setuid attribute is that a |
230 The fundamental idea behind the setuid attribute is that a |
130 file will be able to run not with the callers access rights, |
231 file will be able to run not with the callers access rights, |
131 but with the rights of the owner of the file. So |
232 but with the rights of the owner of the file. So |
132 \pcode{/usr/bin/login} will always be running with root access |
233 \pcode{/usr/bin/login} will always be running with root access |
363 |
464 |
364 \begin{center} |
465 \begin{center} |
365 \includegraphics[scale=0.45]{../pics/pointsplane.jpg} |
466 \includegraphics[scale=0.45]{../pics/pointsplane.jpg} |
366 \end{center} |
467 \end{center} |
367 |
468 |
|
469 %\begin{center} |
|
470 %\begin{tikzpicture} |
|
471 % |
|
472 % \draw[->,line width=0.5mm] (0,0,0) -- (2,0,0); |
|
473 % \draw[->,line width=0.5mm] (0,0,0) -- (0,2,0); |
|
474 % \draw[->,line width=0.5mm] (0,0,0) -- (0,0,2); |
|
475 % |
|
476 % \path[draw] (-1,-4) to[out=20,in=220] (3,3); |
|
477 % \path[draw] (6,-7) to[out=40,in=210] (9,1); |
|
478 % \path[draw] (-1,-4) to[out=0,in=80] (6,-7); |
|
479 % \path[draw] (3,3) to[out=10,in=140] (9,1); |
|
480 % |
|
481 %\end{tikzpicture} |
|
482 %\end{center} |
|
483 |
368 \noindent The idea is to use the points as keys for each level |
484 \noindent The idea is to use the points as keys for each level |
369 of shared access. The CEO gets the point directly. The MDs get |
485 of shared access. The CEO gets the point directly. The MDs get |
370 keys lying on a line and the Ds get keys lying on the plane. |
486 keys lying on a line and the Ds get keys lying on the plane. |
371 Clever, no? Scaling this idea to more dimensions allows for |
487 Clever, no? Scaling this idea to more dimensions allows for |
372 even more levels of access control and more interesting access |
488 even more levels of access control and more interesting access |